Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[MSITE-829] Upgrade Jetty to 9.4.x implicit java8 requirement now #21

Merged
merged 2 commits into from
Feb 23, 2022

Conversation

olamy
Copy link
Member

@olamy olamy commented May 14, 2020

No description provided.

pom.xml Outdated Show resolved Hide resolved
Jenkinsfile Outdated Show resolved Hide resolved
@@ -196,11 +196,11 @@ under the License.

<properties>
<mavenVersion>3.0</mavenVersion>
<javaVersion>7</javaVersion>
<javaVersion>8</javaVersion>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change should probably be made, if at all, in its own PR, not as a driveby of a minor version dependency update

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need 8 for the change so let's do it all together
except having a sort of bureaucratic own PR I cannot see the technical need :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@olamy I am the bureaucratic person. This needs to be changelog visible.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's ALREADY there https://issues.apache.org/jira/browse/MSITE-828 and the git comment will clearly says that

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good, let's re-merge MSITE-828 first.

@olamy olamy marked this pull request as ready for review May 16, 2020 01:43
@olamy olamy changed the title [MSITE-829] Upgrade Jetty to 9.4.x [MSITE-829] Upgrade Jetty to 9.4.x implicit java8 requirement now May 18, 2020
pom.xml Outdated Show resolved Hide resolved
pom.xml Outdated Show resolved Hide resolved
pom.xml Outdated Show resolved Hide resolved
@@ -623,6 +624,7 @@ under the License.
<maven.compiler.source>${maven.compiler.source}</maven.compiler.source>
<maven.compiler.target>${maven.compiler.target}</maven.compiler.target>
</properties>
<javaHome>${java.home}</javaHome>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is that necessary?

@@ -76,7 +76,7 @@ under the License.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.7</version>
<version>@javadocPluginVersion@</version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How are these related?

Copy link
Member Author

@olamy olamy May 19, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I use java11 so the IT tests were failing for locally because of this and need more recent java version

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, but should be a separate PR because it is logically not related.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry but I will not do it. Maybe I should create a Jira ticket as well.
Seriously stop such nit picking... I prefer spend my time on more useful stuff for the project than waste my time remove this commit creating a branch and a separate PR only for this...
I don't see why it's useful for the project.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on the JIRA ticket. If you are not willing to clean up. Leave as-is and have someone else clean it up. No issue.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOL thanks you made my day

@olamy olamy force-pushed the MSITE-829 branch 2 times, most recently from 249b4a8 to 64d4100 Compare June 8, 2020 00:35
@yeikel
Copy link

yeikel commented Aug 27, 2021

Hi, what's blocking this? 9.2.29 is not safe anymore

@michael-o
Copy link
Member

Hi, what's blocking this? 9.2.29 is not safe anymore

Not safe for what?

@yeikel
Copy link

yeikel commented Aug 28, 2021

Hi, what's blocking this? 9.2.29 is not safe anymore

Not safe for what?

Sorry, my initial comment was vague.

There are a couple of security vulnerabilities against Jetty, such as :

CVE-2021-28165
CVE-2021-28164
CVE-2021-28163

Read more : https://www.cybersecurity-help.cz/vdb/SB2021040179
https://www.eclipse.org/jetty/security_reports.php

@michael-o
Copy link
Member

Hi, what's blocking this? 9.2.29 is not safe anymore

Not safe for what?

Sorry, my initial comment was vague.

There are a couple of security vulnerabilities against Jetty, such as :

CVE-2021-28165
CVE-2021-28164
CVE-2021-28163

Read more : https://www.cybersecurity-help.cz/vdb/SB2021040179
https://www.eclipse.org/jetty/security_reports.php

and none of them affect this plugin if you'd knew what we do with Jetty.

@yeikel
Copy link

yeikel commented Sep 1, 2021

Hi, what's blocking this? 9.2.29 is not safe anymore

Not safe for what?

Sorry, my initial comment was vague.

There are a couple of security vulnerabilities against Jetty, such as :

CVE-2021-28165
CVE-2021-28164
CVE-2021-28163

Read more : https://www.cybersecurity-help.cz/vdb/SB2021040179
https://www.eclipse.org/jetty/security_reports.php

and none of them affect this plugin if you'd knew what we do with Jetty.

That makes sense. Problem is that security scans do not have the background about how this is used within the plugin and they simply block the build when the plugin tries to pull Jetty

@michael-o
Copy link
Member

Hi, what's blocking this? 9.2.29 is not safe anymore

Not safe for what?

Sorry, my initial comment was vague.
There are a couple of security vulnerabilities against Jetty, such as :
CVE-2021-28165
CVE-2021-28164
CVE-2021-28163
Read more : https://www.cybersecurity-help.cz/vdb/SB2021040179
https://www.eclipse.org/jetty/security_reports.php

and none of them affect this plugin if you'd knew what we do with Jetty.

That makes sense. Problem is that security scans do not have the background about how this is used within the plugin and they simply block the build when the plugin tries to pull Jetty

Therefore, I consider them partially useless. Just like this.

Maybe someone can rework the PR.

@yeikel
Copy link

yeikel commented Sep 1, 2021

Somewhat. They block Jetty for everyone(including the projects where the vulnerabilities applies) which affects this plugin indirectly.

If it helps, what we use is similar to this :
https://www.google.com/amp/s/blog.sonatype.com/keeping-third-party-dependencies-in-check-with-nexus%3fhs_amp=true

If this PR is considered stale then I can resume and maybe target the latest version instead?

@michael-o
Copy link
Member

Somewhat. They block Jetty for everyone(including the projects where the vulnerabilities applies) which affects this plugin indirectly.

If it helps, what we use is similar to this :
https://www.google.com/amp/s/blog.sonatype.com/keeping-third-party-dependencies-in-check-with-nexus%3fhs_amp=true

Many vendors provide this superficial crap -- as you can see it proves nothing here.

If this PR is considered stale then I can resume and maybe target the latest version instead?

Split between Java 8 upgrade and Jetty upgrade in at least two PRs.

@hboutemy @rfscholte Yet another reason why we need to split this plugin in two.

@olamy
Copy link
Member Author

olamy commented Sep 2, 2021

Somewhat. They block Jetty for everyone(including the projects where the vulnerabilities applies) which affects this plugin indirectly.
If it helps, what we use is similar to this :
https://www.google.com/amp/s/blog.sonatype.com/keeping-third-party-dependencies-in-check-with-nexus%3fhs_amp=true

Many vendors provide this superficial crap -- as you can see it proves nothing here.

@michael-o
so many tools send warning/alarms because of dependencies with security issues/CVE.
maybe (certainly) it's wrong but big companies use those tools as a policy and we can't fight this!!
BUT we still want people using Apache Maven so we have to live with that!

@yeikel
I will update this PR

If this PR is considered stale then I can resume and maybe target the latest version instead?

Split between Java 8 upgrade and Jetty upgrade in at least two PRs.

@hboutemy @rfscholte Yet another reason why we need to split this plugin in two.

@yeikel
Copy link

yeikel commented Sep 2, 2021

Somewhat. They block Jetty for everyone(including the projects where the vulnerabilities applies) which affects this plugin indirectly.
If it helps, what we use is similar to this :
https://www.google.com/amp/s/blog.sonatype.com/keeping-third-party-dependencies-in-check-with-nexus%3fhs_amp=true

Many vendors provide this superficial crap -- as you can see it proves nothing here.

@michael-o
so many tools send warning/alarms because of dependencies with security issues/CVE.
maybe (certainly) it's wrong but big companies use those tools as a policy and we can't fight this!!
BUT we still want people using Apache Maven so we have to live with that!

@yeikel
I will update this PR

If this PR is considered stale then I can resume and maybe target the latest version instead?

Split between Java 8 upgrade and Jetty upgrade in at least two PRs.

@hboutemy @rfscholte Yet another reason why we need to split this plugin in two.

Definitely. We had to overwrite the version manually in our build to be able to use the plugin but doing so without the corresponding tests could introduce unexpected regressions for us

@olamy olamy force-pushed the MSITE-829 branch 2 times, most recently from 625ee31 to 88aa108 Compare September 2, 2021 00:55
@michael-o
Copy link
Member

Somewhat. They block Jetty for everyone(including the projects where the vulnerabilities applies) which affects this plugin indirectly.
If it helps, what we use is similar to this :
https://www.google.com/amp/s/blog.sonatype.com/keeping-third-party-dependencies-in-check-with-nexus%3fhs_amp=true

Many vendors provide this superficial crap -- as you can see it proves nothing here.

@michael-o
so many tools send warning/alarms because of dependencies with security issues/CVE.
maybe (certainly) it's wrong but big companies use those tools as a policy and we can't fight this!!
BUT we still want people using Apache Maven so we have to live with that!

I know and that is sadly stupid.

@slachiewicz
Copy link
Member

Total 5 (delta 2), reused 0 (delta 0), pack-reused 0 remote: remote: remote: remote: GitHub found 18 vulnerabilities on apache/maven-site-plugin's default branch (15 high, 2 moderate, 1 low). To find out more, visit: remote: remote: https://github.com/apache/maven-site-plugin/security/dependabot remote: remote:

@slachiewicz
Copy link
Member

@olamy builds fails only on Maven 3.8.2, same on the master branch

@olamy
Copy link
Member Author

olamy commented Sep 2, 2021

@slachiewicz I saw and I guess because of https://issues.apache.org/jira/browse/MNG-7215

@slawekjaranowski
Copy link
Member

@olamy builds fails only on Maven 3.8.2, same on the master branch

All GitHub runners will have Maven 3.8.2 in a moment
actions/runner-images#3969

@yeikel
Copy link

yeikel commented Dec 2, 2021

Sorry to bump, but what happened to this?

@olamy
Copy link
Member Author

olamy commented Dec 3, 2021

I rebased from master.
will wait few days and if no complain I will merge that.

@olamy olamy closed this Dec 3, 2021
@olamy olamy reopened this Dec 3, 2021
@yeikel
Copy link

yeikel commented Feb 22, 2022

I rebased from master. will wait few days and if no complain I will merge that.

Did you get a chance to work on this?

- build from 8 only and we do not support anymore 3.0.x

- improve gh action

Signed-off-by: Olivier Lamy <olamy@apache.org>
Signed-off-by: Olivier Lamy <olamy@apache.org>
@olamy olamy merged commit 0b1c775 into master Feb 23, 2022
@olamy olamy deleted the MSITE-829 branch February 23, 2022 06:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants